On Wed, 26 Jan 2000, Jerry Feldman wrote:

> The group is an older way to allow sharing of data between users. The 
> practice of assigning a unique group to each user is somewhat recent. 
> IMHO, it is a way system managers can impose a bit more privacy on a 
> shared system. My preference in a multi-user system is to group users 
> based on their organization. Users should be aware of basic Unix 
> security and how to use chmod and umask. There are better security 
> methods today, but the basic Unix security model is simple and easy to 
> administer.  

Group permissions can also be used to TAKE AWAY permissions, which is
often overlooked.  Say you have a game program, like gnu chess that you
want to restrict access to. (I specifically avoid quake here, since it's
just about impossible to run anything else at the same time, so you'd only
install it on a personal workstation anyway...)  Maybe you have some users
that play it while other people are trying to run simulations, whatever.

You could give the binary its own group, and give the group no permission
to access the binary, like this:

-rwx---r-x   1 root     lusers     129228 Aug 14 15:20 /usr/bin/gnuchess

Anyone who was in the group lusers could not run this binary.  :)  On some
systems it's sufficient for the user to be a member of the group (in
/etc/groups) and on others it must be their primary group.  Depends on how
your system handles group permissions.


Thank you for watching Derek's stupid Unix tricks, that's all for today
kids! 

Oh, and I'd debate whether other security methods are better if you could
define what "better" actually meant, but I'm too tired to care...

-- 
"Quis custodiet ipsos custodes?"    "Who watches the watchmen?" 
-Juvenal, Satires, VI, 347 

Derek D. Martin      |  Senior UNIX Systems/Network Administrator
Arris Interactive    |  A Nortel Company
[EMAIL PROTECTED]  |  [EMAIL PROTECTED]
-------------------------------------------------
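
The check described in the message above, as an added example that is not part of the original post: a small Python model of the classic owner/group/other decision, showing why a member of the file's group is denied even though "other" has r-x. The uids, gids and the primary_only switch are constructed for illustration; primary_only models the systems the message says consult only the primary group, and the superuser override is not modelled.

```python
# Added example: the first matching class (owner, then group, then other)
# decides access; later classes are never consulted.

def parse_mode(ls_mode):
    """Turn an ls -l string such as '-rwx---r-x' into permission bits."""
    bits = 0
    for i, ch in enumerate(ls_mode[1:10]):
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("unsupported mode character: %r" % ch)
    return bits

def may_access(mode, file_uid, file_gid, uid, primary_gid,
               supp_gids=(), want="x", primary_only=False):
    """Return True if the user gets the requested access (r, w or x)."""
    need = {"r": 4, "w": 2, "x": 1}[want]
    if uid == file_uid:
        triplet = (mode >> 6) & 7        # owner bits only
    elif file_gid == primary_gid or (not primary_only and file_gid in supp_gids):
        triplet = (mode >> 3) & 7        # group bits only, even if "other" is wider
    else:
        triplet = mode & 7               # everyone else
    return bool(triplet & need)

# Constructed sample data matching the listing in the message:
# -rwx---r-x root lusers /usr/bin/gnuchess
MODE = parse_mode("-rwx---r-x")
ROOT_UID, LUSERS_GID, USERS_GID = 0, 500, 100   # hypothetical ids

def demo():
    chess = dict(mode=MODE, file_uid=ROOT_UID, file_gid=LUSERS_GID)
    return {
        # not in lusers: falls through to "other" (r-x)
        "alice": may_access(uid=1001, primary_gid=USERS_GID, **chess),
        # primary group is lusers: group bits (---) apply
        "bob": may_access(uid=1002, primary_gid=LUSERS_GID, **chess),
        # lusers only as a supplementary group
        "carol": may_access(uid=1003, primary_gid=USERS_GID,
                            supp_gids=(LUSERS_GID,), **chess),
        # same user on a system that checks the primary group only
        "carol_primary_only": may_access(uid=1003, primary_gid=USERS_GID,
                                         supp_gids=(LUSERS_GID,),
                                         primary_only=True, **chess),
    }

if __name__ == "__main__":
    for user, allowed in demo().items():
        print(user, "may run gnuchess" if allowed else "is denied")
```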

